Generating a webapp using AWS CloudFormation

In this post we will generate from scratch all the infrastructure needed to start a secure webapp using CloudFormation.

Our architecture is composed of:

[Figure: Standard WebApp Architecture]

A dedicated VPC using the IP range 192.168.1.0/24

An internet gateway

4 subnets:

* Public subnet (DMZ): 192.168.1.0/26, holding

–> 2 servers:

==> A bastion server (to SSH into our servers)

==> A NAT server (to forward the private servers' outbound traffic to the internet)

* Public ELB subnet: 192.168.1.64/26 ==> all our public ELBs go in this subnet

==> An ELB in front of our Apache web server

* Private App subnet: 192.168.1.128/26 ==> all our backend app servers go in this subnet

==> An EC2 instance (Debian) running an Apache2 web server

* Private DB subnet: 192.168.1.192/26 ==> holds our database servers

==> An EC2 instance (Debian) running our PostgreSQL database

2 routing tables:

* Public routing table associated with the public DMZ subnet

==> This routing table uses the VPC internet gateway for all external traffic

* Private routing table associated with the private App subnet and the DB subnet

==> This routing table carries a tag named 'network' with the value 'private'. When the NAT instance boots it looks up the route tables carrying that tag and points their default route (0.0.0.0/0) at itself, so all external traffic from the private subnets traverses the NAT instance

An IAM policy called NatMonitPolicy (to create and update all the needed routes when the NAT instance boots) with the following:

In order to generate this infrastructure, the Python script gen_webapp_aws.py does the following:

– Initialize logging

– Get all configuration values from a file with the same name as the program but a '.conf' extension, in our case gen_webapp_aws.conf

– Copy the template file secure-webapp-cfn.json to a new one called webapp-cfn-ENV_TAG_YYYYMMDD-HHmmSS.json, where ENV_TAG refers to the ENV_TAG configuration variable from the gen_webapp_aws.conf file

– Substitute all variables inside webapp-cfn-ENV_TAG_YYYYMMDD-HHmmSS.json with the values given in gen_webapp_aws.conf (AWS_ACCOUNT_ID, ENV_TAG, INFRA_KEYPAIR, BASTION_AMI, BASTION_INST_TYPE, NAT_AMI, NAT_INST_TYPE, APP_KEYPAIR, PG_AMI, PG_INST_TYPE, BACK_AMI, BACK_INST_TYPE)

– Upload webapp-cfn-ENV_TAG_YYYYMMDD-HHmmSS.json to the bucket given by CF_TEMPLATE_S3_BUCKET

– Upload the file cfn_webapp_stack_policy.json, which contains our stack update policy, to the same bucket CF_TEMPLATE_S3_BUCKET

– Validate all JSON templates

– Create the stack and print all its events.
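The pipeline above, as an added example in the same shape (this is not the post's gen_webapp_aws.py). Two details the post does not specify are assumed here: the .conf file is plain KEY=VALUE lines, and the template marks the values to substitute as @@VAR@@ tokens (a syntax chosen because it cannot collide with the ${...} strings that CloudFormation's Fn::Sub uses). The offline steps run on a constructed config and template fragment; deploy() needs boto3 and AWS credentials.

```python
"""Template-generation pipeline in the shape the post describes.

Added example, not the post's gen_webapp_aws.py. Assumptions not in the post:
the .conf file is plain KEY=VALUE lines and the template carries @@VAR@@ tokens
for the values to substitute. The deploy step needs boto3 and AWS credentials.
"""
import json
import re
from datetime import datetime

CONF_KEYS = ("AWS_ACCOUNT_ID", "ENV_TAG", "INFRA_KEYPAIR", "BASTION_AMI", "BASTION_INST_TYPE",
             "NAT_AMI", "NAT_INST_TYPE", "APP_KEYPAIR", "PG_AMI", "PG_INST_TYPE",
             "BACK_AMI", "BACK_INST_TYPE", "CF_TEMPLATE_S3_BUCKET")
PLACEHOLDER = re.compile(r"@@([A-Z][A-Z0-9_]*)@@")
STACK_POLICY = "cfn_webapp_stack_policy.json"


def load_conf(text):
    """Parse KEY=VALUE lines; '#' starts a comment. Fails if any expected key is absent."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a KEY=VALUE line: {raw!r}")
        conf[key.strip()] = value.strip().strip('"')
    missing = [k for k in CONF_KEYS if k not in conf]
    if missing:
        raise KeyError(f"missing configuration keys: {missing}")
    return conf


def output_name(env_tag, now=None):
    """webapp-cfn-ENV_TAG_YYYYMMDD-HHmmSS.json, the naming scheme the post uses."""
    now = now or datetime.now()
    return f"webapp-cfn-{env_tag}_{now:%Y%m%d-%H%M%S}.json"


def render_template(template_text, conf):
    """Replace every @@VAR@@ with conf[VAR]; refuse to leave any token unresolved.

    A forgotten key would otherwise ship a literal '@@BASTION_AMI@@' to
    CloudFormation, which only fails much later, at stack creation.
    """
    missing = set()

    def substitute(match):
        key = match.group(1)
        if key not in conf:
            missing.add(key)
            return match.group(0)
        return conf[key]

    body = PLACEHOLDER.sub(substitute, template_text)
    if missing:
        raise KeyError(f"template variables without a value: {sorted(missing)}")
    json.loads(body)  # local validation: still well-formed JSON after substitution
    return body


def deploy(stack_name, template_body, template_key, bucket, stack_policy_path=STACK_POLICY):
    """Upload template and stack policy, validate, create the stack and print its events."""
    import boto3  # imported here so the offline steps above run without the SDK
    s3 = boto3.client("s3")
    cfn = boto3.client("cloudformation")
    s3.put_object(Bucket=bucket, Key=template_key, Body=template_body.encode())
    s3.upload_file(stack_policy_path, bucket, STACK_POLICY)
    template_url = f"https://{bucket}.s3.amazonaws.com/{template_key}"
    policy_url = f"https://{bucket}.s3.amazonaws.com/{STACK_POLICY}"
    cfn.validate_template(TemplateURL=template_url)
    cfn.create_stack(StackName=stack_name, TemplateURL=template_url, StackPolicyURL=policy_url,
                     Capabilities=["CAPABILITY_IAM"])  # the template creates an IAM policy
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    for ev in reversed(cfn.describe_stack_events(StackName=stack_name)["StackEvents"]):
        print(ev["Timestamp"], ev["LogicalResourceId"], ev["ResourceStatus"])


# Constructed sample configuration and a one-resource template fragment (values are made up).
SAMPLE_CONF = """\
AWS_ACCOUNT_ID=123456789012
ENV_TAG=staging
INFRA_KEYPAIR=infra-key
BASTION_AMI=ami-0bastion
BASTION_INST_TYPE=t2.micro
NAT_AMI=ami-0nat
NAT_INST_TYPE=t2.micro
APP_KEYPAIR=app-key
PG_AMI=ami-0debian
PG_INST_TYPE=t2.small
BACK_AMI=ami-0debian
BACK_INST_TYPE=t2.small
CF_TEMPLATE_S3_BUCKET=my-cfn-templates   # bucket for templates and the stack policy
"""
SAMPLE_TEMPLATE = """{
  "Resources": {
    "Bastion": {"Type": "AWS::EC2::Instance",
                "Properties": {"ImageId": "@@BASTION_AMI@@", "InstanceType": "@@BASTION_INST_TYPE@@",
                               "KeyName": "@@INFRA_KEYPAIR@@"}}
  }
}"""

if __name__ == "__main__":
    conf = load_conf(open("gen_webapp_aws.conf").read())
    body = render_template(open("secure-webapp-cfn.json").read(), conf)
    key = output_name(conf["ENV_TAG"])
    open(key, "w").write(body)  # keep the rendered copy next to the script, as the post does
    deploy(f"webapp-{conf['ENV_TAG']}", body, key, conf["CF_TEMPLATE_S3_BUCKET"])
```

Capabilities=["CAPABILITY_IAM"] is mandatory because the stack creates NatMonitPolicy; CloudFormation refuses to create IAM resources without that acknowledgement. The stack policy uploaded next to the template is what restricts which resources a later update may modify or replace, which is why it is worth uploading it before the first create rather than attaching it afterwards.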

secure-webapp-cfn